You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs-ref-conceptual/authenticate-azure-cli-service-principal.md
+15-7
Original file line number
Diff line number
Diff line change
@@ -5,10 +5,10 @@ ms.date: 09/02/2024
5
5
ms.topic: concept-article
6
6
ms.service: azure-cli
7
7
ms.custom: devx-track-azurecli
8
-
#customer intent: As an app developer, I need to security automate authentication to Azure using a service principal.
8
+
#customer intent: As an app developer, I need to security automate authentication to Azure using a service principal.
9
9
---
10
10
11
-
# Sign into Azure with a service principal using the Azure CLI
11
+
# Sign into Azure with a service principal using the Azure CLI
12
12
13
13
Service principals are accounts not tied to any particular user, which can have permissions on them assigned through
14
14
predefined roles. Authenticating with a service principal is the best way to write secure scripts or programs,
@@ -18,32 +18,40 @@ about service principals, see [Work with Azure service principals using the Azur
18
18
To sign in with a service principal, you need:
19
19
20
20
* The URL or name associated with the service principal
21
-
* The service principal password, or the X509 certificate used to create the service principal in PEM format
22
-
* The tenant associated with the service principal, as either an `.onmicrosoft.com` domain or Azure object ID
21
+
* The service principal client secret, or the X509 certificate used to create the service principal in PEM format
22
+
* The tenant associated with the service principal, as either an `.onmicrosoft.com` domain or Microsoft Entra tenant ID
23
23
24
24
Note two important facts when working with service principals and the Azure CLI:
25
25
26
26
* A **CERTIFICATE** must be appended to the **PRIVATE KEY** within a PEM file. For an example of a PEM file format, see [Certificate-based authentication](./azure-cli-sp-tutorial-3.md).
27
27
28
28
* If your service principal uses a certificate that is stored in Key Vault, that certificate's private key must be available without signing in to Azure. To retrieve the certificate for `az login`, see [Retrieve certificate from Key Vault](./azure-cli-sp-tutorial-3.md#work-with-azure-key-vault).
29
29
30
+
Log in with client secret:
31
+
32
+
```azurecli-interactive
33
+
az login --service-principal --username APP_ID --password CLIENT_SECRET --tenant TENANT_ID
34
+
```
35
+
36
+
Log in with certificate:
37
+
30
38
```azurecli-interactive
31
-
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
39
+
az login --service-principal --username APP_ID --certificate /path/to/cert.pem --tenant TENANT_ID
32
40
```
33
41
34
42
> [!IMPORTANT]
35
43
> If you want to avoid displaying your password on console and are using `az login` interactively,
Copy file name to clipboardExpand all lines: docs-ref-conceptual/azure-cli-sp-tutorial-3.md
+2-7
Original file line number
Diff line number
Diff line change
@@ -10,7 +10,7 @@ keywords: azure service principal, create service principal azure, create servic
10
10
11
11
# Use an Azure service principal with certificate-based authentication
12
12
13
-
When creating a service principal, you choose the type of sign-in authentication it uses. There are two types of authentication available for Azure service principals: **password-based authentication** and **certificate-based authentication**.
13
+
When creating a service principal, you choose the type of sign-in authentication it uses. There are two types of authentication available for Azure service principals: **password-based authentication** and **certificate-based authentication**.
14
14
15
15
We recommend using certificate-based authentication due to the security restrictions of password-based authentication. Certificate-based authentication enables you to adopt a phishing resistant authentication by using [conditional access policies](/azure/active-directory/conditional-access/overview), which better protects Azure resources. To learn more about why certificate-based authentication is more secure, see [Microsoft Entra certificate-based authentication](/azure/active-directory/authentication/concept-certificate-based-authentication).
az login --service-principal -u "<myAppClientID>" -p cert.pem --tenant "<myTenantID>"
107
105
```
108
106
109
107
## Convert an existing PKCS12 file
@@ -142,10 +140,7 @@ The output includes credentials that you must protect. Be sure that you do not i
142
140
To sign in with a certificate, the certificate must be available locally as a PEM or DER file in ASCII format. PKCS#12 files (.p12/.pfx) don't work. When you use a PEM file, the **PRIVATE KEY** and **CERTIFICATE** must be appended together within the file. You don't need to prefix the path with an `@` like you do with other az commands.
143
141
144
142
```azurecli-interactive
145
-
az login --service-principal \
146
-
--username myServicePrincipalID \
147
-
--tenant myOwnerOrganizationId \
148
-
--password /path/to/cert
143
+
az login --service-principal --username APP_ID --certificate /path/to/cert.pem --tenant TENANT_ID
Copy file name to clipboardExpand all lines: docs-ref-conceptual/upcoming-breaking-changes.md
+6
Original file line number
Diff line number
Diff line change
@@ -63,6 +63,12 @@ The [db-up](https://github.com/Azure/azure-cli-extensions/tree/main/src/db-up) e
63
63
64
64
- This command group has been deprecated and will be removed in next breaking change release(2.67.0). Use 'az network public-ip ddos-protection' instead.
65
65
66
+
## profile
67
+
68
+
### `az login`
69
+
70
+
- The `--password` parameter will not accept service principal certificate. Use the `--certificate` parameter instead.
71
+
66
72
## sql
67
73
68
74
[Link to sql mi link subgroup](/cli/azure/sql/mi/link)
0 commit comments